The other side of mobile forensics

By Christa Miller, Jul 1, 2008

A cell phone isn't just a surface from which to lift a fingerprint, a device that reveals known associates, or even a repository of messages and images. There's another side to mobile forensics: service provider (or carrier) data, including call logs, undelivered messages and tower data — data that shows a cell user's location at the time of an incident. Matched with the information saved to the device, and mapped together with street names and landmarks, carrier data supplements and enhances device data. It can even break a case. Yet too often investigators overlook this critical evidence.

Carrier data: an evidence cornerstone

Most cell towers consist of poles that send and receive signals in three sectors: alpha (north-facing), beta (southeast) and gamma (southwest). This configuration makes it easier for carriers to improve service by covering an entire hexagonal "cell" within the network. It also enables them to identify which sector of the antenna (which side of the tower) communicated with a cellular device.

Carriers keep detailed call records of these communications for billing purposes, so the data includes information like date, call length, whether a call was inbound, outbound, or went to voicemail; the tower's number and location; and which antenna the call communicated with.

Tower data reveals whether the device was in motion or stationary. A person dialing from one location will hit the same side of the same tower, but a person on the go will hit different towers and different sides. As Kipp Loving, a former criminal investigator with the Stanislaus County (California) District Attorney's Office notes, a long call may make it difficult to tell where a subject went between two towers, but short messages paint a clearer picture of a travel path.

Janice Cree, a crime analyst with the Stockton (California) Police Department, stresses that "It is important to emphasize [that] tower information shows the sequence of the cell tower usage and not the location of the phone itself." This information is easily visualized on a map. "All of the towers in the area (not just the ones the phone accessed) should be included to show relativity. Once the tower data is completed, I insert the primary locations notated in the case file." More than that, she adds, and the map can lose clarity.
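The following is an added example, written for this page rather than taken from the article, a carrier, or the analysts quoted. It reads a call-detail export in a constructed CSV layout (column names, tower ids, coordinates and timestamps are all invented for illustration) and reconstructs the sequence of tower sides the phone used, flags whether that sequence is consistent with a stationary or a moving phone, and reports the distance and time gap of each tower-to-tower leg. The sector bearings are the nominal ones described above; real sector azimuths come from the carrier's site records.

```python
"""Reconstruct the tower/sector sequence from a carrier call-detail export.

Added example (not from the article or any carrier): the CSV layout, tower ids,
coordinates and timestamps below are constructed for illustration only.
"""
import csv
import io
import math
from datetime import datetime

# Nominal sector orientation as the article describes it (alpha north,
# beta south-east, gamma south-west). Real azimuths are site-specific and
# must come from the carrier's site records, not from this table.
SECTOR_BEARING_DEG = {"alpha": 0, "beta": 135, "gamma": 225}

# Constructed call-detail records for one target number (sample input).
CONSTRUCTED_CDR = """\
date,time,direction,duration_s,tower_id,sector,tower_lat,tower_lon
2008-05-14,21:02:11,OUT,45,T117,beta,37.9577,-121.2908
2008-05-14,21:09:40,IN,12,T117,beta,37.9577,-121.2908
2008-05-14,21:20:05,SMS_OUT,0,T142,gamma,37.9721,-121.3190
2008-05-14,21:31:52,VM,0,T203,alpha,38.0041,-121.3340
"""


def parse_cdr(text):
    """Parse the constructed CSV layout into dicts, oldest record first."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "when": datetime.strptime(f'{r["date"]} {r["time"]}', "%Y-%m-%d %H:%M:%S"),
            "direction": r["direction"],
            "duration_s": int(r["duration_s"]),
            "tower": r["tower_id"],
            "sector": r["sector"],
            "lat": float(r["tower_lat"]),
            "lon": float(r["tower_lon"]),
        })
    return sorted(rows, key=lambda r: r["when"])


def tower_sequence(rows):
    """Collapse consecutive hits on the same tower+sector into one step.

    Returns (tower, sector, first_hit, last_hit) tuples: the sequence of tower
    usage an analyst plots, which is not a position fix for the phone.
    """
    steps = []
    for r in rows:
        key = (r["tower"], r["sector"])
        if steps and steps[-1][0] == key:
            steps[-1][2] = r["when"]          # extend the current step
        else:
            steps.append([key, r["when"], r["when"]])
    return [(t, s, first, last) for (t, s), first, last in steps]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two tower sites, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def classify_movement(rows):
    """'stationary' if every hit is on one tower side, otherwise 'moving'."""
    return "stationary" if len(tower_sequence(rows)) <= 1 else "moving"


def travel_legs(rows):
    """Tower-to-tower legs with site distance and the time gap between hits.

    A long gap between two towers leaves the route in between unknown; a run
    of short messages gives finer steps (the point Loving makes above).
    """
    site = {r["tower"]: (r["lat"], r["lon"]) for r in rows}
    seq = tower_sequence(rows)
    legs = []
    for (t1, s1, _, last1), (t2, s2, first2, _) in zip(seq, seq[1:]):
        legs.append({
            "from": f"{t1}/{s1} (~{SECTOR_BEARING_DEG[s1]} deg)",
            "to": f"{t2}/{s2} (~{SECTOR_BEARING_DEG[s2]} deg)",
            "km": round(haversine_km(*site[t1], *site[t2]), 2),
            "minutes": round((first2 - last1).total_seconds() / 60, 1),
        })
    return legs


if __name__ == "__main__":
    records = parse_cdr(CONSTRUCTED_CDR)
    print("movement:", classify_movement(records))
    for step in tower_sequence(records):
        print(step)
    for leg in travel_legs(records):
        print(leg)
```

Run as-is, the four constructed records collapse to three steps (two calls on T117/beta, then T142/gamma, then T203/alpha), which the classifier reports as a moving phone; the first two records alone are stationary. The legs carry the site-to-site distance, which bounds nothing about the phone's own path, and the gap between hits, which shows how much of that path the records leave unaccounted for.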

How carrier data applies

In an investigation, these kinds of data have important implications.

"Primarily, historical data can be used to place a phone within a geographical area at a specific time, identify call patterns, establish timelines and also identify co-conspirators," says Cree. "When applicable, the information also can be used to corroborate statements."

After-the-fact investigations aren't the only law enforcement use of tower data; intelligence-gathering, anti-gang, narcotics and counterterrorism units can also benefit.

"One misconception is that you can only use this type of information after an incident has occurred," says Loving. "The fact is, if you have a suspect that you believe is involved in criminal activity and you would like to know where he was one week ago, you can contact the carrier to obtain that information without having to have any contact with the suspect. All you need is the suspect's cell phone number."

Tower data also comes into play during missing-persons searches. In one case, an aircraft that had lost radar contact in a remote part of Stanislaus County was located via its passengers' cell phones.

"We put a helicopter over the tower on the side that showed the last hit," says Loving. "Even though both passengers were deceased, to find the plane within 20 or 25 minutes instead of hours or even days worked to everyone's benefit."

Loving notes that as cell phone technology advances, the devices are frequently linked to unconventional crimes that test both existing statutes and legal precedents. Vehicular homicide, for example, virtually demands that a suspect's cell phone be seized and the call logs, SMS messages with their date/time stamps, etc. be preserved. This way, investigators can determine whether cell use, including "driving while texting," was a factor.

Carrier data challenges

While customer demand for better coverage — and thus more towers — remains high, Loving says many communities have limited tower build-out for a variety of reasons, including aesthetics, zoning and site problems, and even public health. That's why many carriers have begun to share tower space.

"It is not uncommon to find two or three different carriers at one location," Loving explains. "The simplest and fastest way to determine if multiple carriers exist at one location is to view the tower location. You will notice a group of antennae on the tower; and individual, bulletproof control rooms/buildings at the base."

This is important for investigators to know because collectible data doesn't go by tower; it goes by carrier. Each carrier maintains sets of information for different periods of time, ranging from six years to just 45 days for call detail reports, while text messages and voicemail typically last a week or less. Each carrier also has its own preferences for how it wants to receive and deal with subpoenas. Some may even charge money for records retrieval services.

Cree notes that even personnel changes can create difficulties. "Investigators may have had limited or no prior contact with service providers and have no idea where to start. They may not know what information is available to them or what the company's data preservation timeframe is," she says.

These factors can lead investigators to assume erroneously that they'll have a hard time getting a warrant, according to Lee Reiber, owner and lead instructor of Mobile Forensics Inc. But the trick isn't obtaining the warrant; it's doing so quickly enough.

The best way to accomplish this is to send a preservation letter. Such a letter asks carriers to pull and maintain data until a warrant can be obtained. Under Title 18 of the U.S. Code, § 2703(f), investigators can fax a written request to the carrier to preserve all data for a target phone number. The carrier must then hold the data for 90 days and, if the agency requests it, for 90 more. Often this gives investigators enough time to obtain a warrant.

"The preservation letter doesn't have to come from an attorney," notes Loving. "Most carriers will respond to a police department's letterhead."

The carrier data/device relationship

Reiber and Loving both advise that one set of evidence cannot exist independently of the other during a criminal investigation, for a variety of reasons.

First, no standards exist for cell phones. "The fact that different carriers utilize different technologies and have more than 100 different handsets on the market at any given time [makes] evidence collection/data recovery extremely challenging," says Loving.

Reiber agrees, saying that manufacturers are unlikely to ever standardize their equipment. "To stay competitive, they cannot standardize things like memory and connectors, and they are constantly improving the technology for faster data and better storage," he explains. "So whereas a computer's hard drive is static and easy to image, investigators would have to budget thousands of dollars in software upgrades alone to keep up with cell device manufacturers." Hence, the need to work with carriers to obtain data.

Conversely, tower data tells only part of the story. "One challenge law enforcement faces is identifying the specific user of a phone," says Cree. "The only way to positively identify a user is through personal statement, direct observation or audio identification."

For example, after the February 2006 murder of a California peace officer, tower data that showed the suspect fleeing the area was later tied to personal data in his phone's calendar. It was not enough that the officer was found clutching the vehicle's registration, or that tower data showed calls being made along the suspect's escape route; the suspect had even erased all inbound and outbound call logs.

The relationship between device and carrier data is even more intertwined when it comes to SMS (text) messages. Encoded in Protocol Data Unit (PDU) mode, a GSM standard, an SMS message carries much more than its text: it also includes "metadata" such as the phone number dialed, the date and time the message reached the service center, and the service center's own number. This data, which users can't view, is important to law enforcement. As Reiber explains, the carrier maintains the information that will help law enforcement identify the subscriber.
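To show concretely what that hidden envelope contains, here is an added example, written for this page and not drawn from the article or any forensic vendor's tool: a small decoder for the SMS-DELIVER PDU layout defined in 3GPP TS 23.040 that pulls out the service center number, the originating address, the service center timestamp with its time-zone offset, and the message text. The sample PDU is a widely circulated textbook example rather than a real capture, and the decoder handles the basic 7-bit alphabet, UCS-2 and 8-bit payloads only; concatenated messages with a user-data header are rejected rather than misread.

```python
"""Decode the envelope of a GSM SMS-DELIVER PDU (3GPP TS 23.040 layout).

Added example, not from the article or any vendor tool. The sample PDU is a
widely used textbook example, not a real capture.
"""
from dataclasses import dataclass

# GSM 03.38 default 7-bit alphabet, basic table only (the ESC table that adds
# characters such as '€' and '[' is not handled here).
GSM7_BASIC = (
    "@£$¥èéùìòÇ\nØø\rÅåΔ_ΦΓΛΩΠΨΣΘΞ\x1bÆæßÉ !\"#¤%&'()*+,-./0123456789:;<=>?"
    "¡ABCDEFGHIJKLMNOPQRSTUVWXYZÄÖÑÜ§¿abcdefghijklmnopqrstuvwxyzäöñüà"
)

# Textbook SMS-DELIVER PDU: "hellohello" delivered via a South African SMSC in 1999.
SAMPLE_PDU = "07917283010010F5040BC87238880900F10000993092516195800AE8329BFD4697D9EC37"


@dataclass
class SmsDeliver:
    smsc: str        # service centre that handled the message
    sender: str      # originating address
    scts: str        # service centre timestamp, "YY-MM-DD hh:mm:ss +hh:mm"
    dcs: int         # data coding scheme octet
    text: str


def _swap_nibbles(hexstr):
    """Addresses and timestamps store BCD digits nibble-swapped: '7283' -> '2738'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def _address(pdu, pos, ndigits):
    """Read a type-of-address octet plus ndigits BCD digits; return (number, new pos)."""
    toa = int(pdu[pos:pos + 2], 16)
    pos += 2
    noctets = (ndigits + 1) // 2
    digits = _swap_nibbles(pdu[pos:pos + 2 * noctets]).rstrip("F")   # F pads odd lengths
    pos += 2 * noctets
    if (toa >> 4) & 0x7 == 1:            # type-of-number 001 = international
        digits = "+" + digits
    return digits, pos


def _timestamp(raw14):
    """TP-SCTS: six swapped BCD pairs (YYMMDDhhmmss) then a signed quarter-hour offset."""
    s = _swap_nibbles(raw14[:12])
    tz = int(raw14[12:14], 16)
    sign = "-" if tz & 0x08 else "+"     # sign lives in bit 3 of the tens nibble
    quarters = (tz & 0x07) * 10 + (tz >> 4)
    hh, mm = divmod(quarters * 15, 60)
    # The century is not encoded; the two-digit year is returned as-is.
    return f"{s[0:2]}-{s[2:4]}-{s[4:6]} {s[6:8]}:{s[8:10]}:{s[10:12]} {sign}{hh:02d}:{mm:02d}"


def _unpack_gsm7(ud, septets):
    """Unpack 7-bit septets that were packed LSB-first into octets."""
    bits = int.from_bytes(ud, "little")
    return "".join(GSM7_BASIC[(bits >> (7 * i)) & 0x7F] for i in range(septets))


def decode_sms_deliver(pdu_hex):
    pdu = pdu_hex.upper()
    smsc_len = int(pdu[0:2], 16)          # octets, including the type-of-address
    pos = 2
    smsc = ""
    if smsc_len:
        smsc, pos = _address(pdu, pos, (smsc_len - 1) * 2)
    first = int(pdu[pos:pos + 2], 16)
    pos += 2
    if first & 0x03 != 0:
        raise ValueError("not an SMS-DELIVER PDU (TP-MTI != 0)")
    if first & 0x40:
        raise ValueError("user-data header present; not handled in this example")
    sender_digits = int(pdu[pos:pos + 2], 16)   # length in digits, not octets
    pos += 2
    sender, pos = _address(pdu, pos, sender_digits)
    pos += 2                                    # TP-PID, not needed here
    dcs = int(pdu[pos:pos + 2], 16)
    pos += 2
    scts = _timestamp(pdu[pos:pos + 14])
    pos += 14
    udl = int(pdu[pos:pos + 2], 16)
    pos += 2
    ud = bytes.fromhex(pdu[pos:])
    # Coding checks below assume the general data-coding group (upper nibble 0).
    if dcs & 0x0C == 0x00:                      # 7-bit default alphabet, udl in septets
        text = _unpack_gsm7(ud, udl)
    elif dcs & 0x0C == 0x08:                    # UCS-2, udl in bytes
        text = ud[:udl].decode("utf-16-be")
    else:
        text = ud[:udl].hex()                   # 8-bit binary payload, shown as hex
    return SmsDeliver(smsc, sender, scts, dcs, text)


if __name__ == "__main__":
    print(decode_sms_deliver(SAMPLE_PDU))
```

For the sample PDU the decoder reports SMSC +27381000015, sender 27838890001, a service center timestamp of 99-03-29 15:16:59 at UTC+02:00, and the text "hellohello". The timestamp is the service center's clock, not the handset's, which is why it is worth comparing against the time stamps recovered from the device itself.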

Mobile forensics. "Not only does it identify what carrier the device works on," says Loving, "it also reveals current and potentially deleted photos, text messages, call logs, voice and video recordings, and other evidence."

Phone manufacturers. "This comes into play when you find phones with the same capabilities, but [with] different software, since it works on a different carrier's system," says Loving.

In addition to device and carrier data, cell phones may provide access to other important information. A GPS-enabled device will have data logs associated with it, either from the cell carrier or from the third-party GPS carrier whose software has been downloaded to the phone.

The phone's registration will contain credit information and other applicable data. "Even a prepaid phone requires registration. Although a user can sign up as Mickey Mouse, personal information will be available," says Loving.

Reiber adds that it's important to record equipment identifiers, including the electronic serial number (ESN), the International Mobile Equipment Identity (IMEI) number, the handset model number itself and removable media such as Flash cards. "Information on a SIM is standardized by ETSI [the European Telecommunications Standards Institute] and 3GPP [3rd Generation Partnership Project]," he explains. "It is really the handset, the manufacturers and carriers who have different firmware that allocate different portions of storage areas for data, which are not necessarily standardized."

Pulling it all together

Mobile forensics is becoming increasingly complicated to navigate, even as it becomes more important in criminal investigations. Law enforcement agencies should thus ensure proper training for their personnel. In the last two years, Reiber has noticed an increase in the number of departments putting officers through courses. "Most local and state agencies remain mindful of their budgets, but they've also been allocating funds for training," he says.

Training is also important for first responders, who must know how to preserve both the phone and the evidence inside. It's not enough to seize the cell phone during an arrest; the officer must also immediately ensure that its data remains intact. Loving points out that an arrestee can use his one phone call to contact an associate, who can then log on to the carrier's Web site and delete information. If the phone is on, or is turned on during the investigation, that deletion takes effect as soon as the phone connects to the network.

Some investigators prefer to use a "Faraday cage," a signal disruption device that allows the phone to turn on without it connecting to the network. (Utah-based digital forensic solutions provider Paraben Corp. has designed a Faraday evidence bag that first responders can use to secure mobile devices.) Loving also recommends turning on the seized phone's "flight mode" feature, which enables the device's full functionality without a network connection.

Both Loving and Cree agree that the carriers themselves supply the other part of a solid investigation. "Today, most companies have a department assigned to handle law enforcement requests and maintain the level of confidentiality that investigations require," Cree says.

This represents a major change from even a few years ago. "The telecommunication business was designed to be consumer-driven, not a source of potential evidence used in the courts," she explains. "Additionally, the companies are required to protect their subscribers' privacy. Balancing the two requires personnel to assure legal compliance, as well as answer law enforcement questions, process requests and, when necessary, provide expert testimony."

To that end, Loving recommends developing a relationship with carriers' designated contacts and their supervisors. This helps sustain the growing cooperation between agencies and carriers. She adds, "Having said that, it is law enforcement's responsibility to be aware of what information they can obtain from the companies, as well as understand the data they receive and how it can be used in their investigations."

Christa Miller is a Maine-based freelance writer who specializes in public safety. She can be contacted at christammiller@gmail.com.

Carrier data legalities

Many states make it possible for officers to search a subject's cell phone incident to arrest; some require a search warrant. To obtain carrier data, however, investigators almost always need a court order.

The good news: suspicious activity alone is enough. "Looking at records is not considered as intrusive as kicking down a door," says Loving. "If the license plate of a car seen near a burglary comes back to a woman whose boyfriend is on parole, that's enough to obtain a court order for their cell phone records. A search warrant also works if you can't locate a subject; it's possible to have the carrier ping the phone and receive feedback."

Still, Robert Morgester, California Deputy Attorney General with the Special Crimes Unit at the California Attorney General's Office says, "This area of law can get complex quickly. Depending on the type of records you are looking for, the process needed to get those records will vary. For example, basic subscriber records can be obtained with a subpoena. Historical files relating to cell phone location can be had with an articulable facts order. Reading e-mail or locating a person in real time requires a search warrant."

In most cases, investigators will have enough time to obtain a warrant for service providers' data. In some cases, however, exigent circumstances come into play. Here, warns Morgester, obtaining tower data can get even trickier. "The Patriot Act has an amendment that permits the provider to give information to law enforcement in the event of a missing child or homicide investigation — an 'emergency involving the risk of imminent death or serious physical injury,' " he says.

The key word is "permits." Prior to the amendment's passage, the federal Electronic Communications Privacy Act prohibited carriers from disclosing customers' private information, including the tower data that showed their whereabouts. Carriers who did provide that information, even in an emergency, could be sued in federal court.

The amendment in the Patriot Act, then, makes such disclosures allowable. "Emergencies with an imminent threat of death or serious physical injury were the reason why that change was made," says Morgester. Still, disclosure is not mandatory, nor do carriers have to follow up to ensure their customers' continued good behavior (as Web sites like MySpace have begun to do, largely to avoid regulation, he states).

Moreover, even allowable disclosures can run afoul of state law, because most states continue to protect citizens' privacy. "In California, for example, tower and other data from service providers are protected," Morgester notes. "You are still required to have judicial approval regardless of the federal amendment."

That means a request on letterhead. In most cases, carriers will comply. "You have no legal remedy if they don't, but those who are not good corporate citizens want to avoid public embarrassment," says Morgester. Some providers require warrants, but will supply information in an emergency as long as the request is later backed up.

Some seemingly exigent circumstances still are not enough for forensic examinations of phones or other electronics. This is especially true of suicides. "An investigator might claim that the subject has a chance to be saved, or at least that the body can be recovered for the family," explains Morgester. "But ultimately, the individual's privacy supersedes all else."